4.13 Cross realm

Suppose you reside in the realm `MY.REALM', how do you
authenticate to a server in `OTHER.REALM'? Having valid tickets in
`MY.REALM' allows you to communicate with Kerberised services in that
realm. However, the computer in the other realm does not have a secret
key shared with the Kerberos server in your realm.

It is possible to share keys between two realms that trust each
other. When a client program, such as telnet or ssh,
finds that the other computer is in a different realm, it will try to
get a ticket granting ticket for that other realm, but from the local
Kerberos server. With that ticket granting ticket, it will then obtain
service tickets from the Kerberos server in the other realm.

For a two way trust between `MY.REALM' and `OTHER.REALM'
add the following principals to each realm. The principals should be
`krbtgt/OTHER.REALM@MY.REALM' and
`krbtgt/MY.REALM@OTHER.REALM' in `MY.REALM', and
`krbtgt/MY.REALM@OTHER.REALM' and
`krbtgt/OTHER.REALM@MY.REALM'in `OTHER.REALM'.

In Kerberos 5 the trust can be configured to be one way. So that
users from `MY.REALM' can authenticate to services in
`OTHER.REALM', but not the opposite. In the example above, the
`krbtgt/MY.REALM@OTHER.REALM' then should be removed.

The two principals must have the same key, key version number, and the
same set of encryption types. Remember to transfer the two keys in a
safe manner.